Re: [OE-core] [pyro][PATCH] glibc: Fix CVE-2017-1000366

2017-12-12 Thread George McCollister
On Thu, Nov 30, 2017 at 9:16 AM, akuster808  wrote:
>
>
> On 11/21/2017 12:03 PM, George McCollister wrote:
>> Add backported patches from the upstream release/2.25/master branch to
>> fix CVE-2017-1000366. Also add a backported patch that resolves SSE
>> related build problems introduced by these patches.
>
> Thanks for the patch. This series causes an error when: bitbake
> core-image-sato -c populate_sdk, so it's on hold.
>

Sorry for the delay; this got buried in my inbox and I didn't see it
until today (I updated my email filters so it shouldn't happen again).

The problem here is that
0003-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch is
applied first and also touches elf/rtld.c. This causes the patches in
this series to be applied incorrectly against nativesdk-glibc. The
fact that the nativesdk patches are applied before the base patches is
a bit concerning as it could cause other problems as well. It seems
like it would be much safer to apply the base patches and then apply the
nativesdk patches to avoid conflicts. Your thoughts?
-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
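The two defences this series backports, as an added example that is not code from the thread, from the glibc patches, or from the OE recipe: ld.so ignores LD_LIBRARY_PATH outright when the process runs with AT_SECURE=1 (what glibc exposes as __libc_enable_secure), and it refuses LD_PRELOAD/LD_AUDIT path elements above a fixed length before any stack buffer is sized from them. The function names (library_path_from_env, dso_name_valid_for_suid, filter_preload_list, demo_filter), the libc_enable_secure parameter, the constructed LD_PRELOAD value and the EXAMPLE_*_LIMIT values derived from NAME_MAX/PATH_MAX are all assumptions of this example; the page does not show upstream's SECURE_NAME_LIMIT/SECURE_PATH_LIMIT definitions. In a real process the secure flag comes from the AT_SECURE entry of the auxiliary vector (getauxval(AT_SECURE)), not from a parameter.

```c
/* Added example; not code from the patches or the thread above.  It models the
 * two ld.so defences in the backported series: (1) ignore LD_LIBRARY_PATH when
 * the process has AT_SECURE=1 (glibc's __libc_enable_secure) and (2) reject
 * LD_PRELOAD/LD_AUDIT path elements longer than a fixed limit before any
 * buffer is sized from them.  ASSUMPTION: limits derive from NAME_MAX/PATH_MAX;
 * the page does not show upstream's SECURE_NAME_LIMIT/SECURE_PATH_LIMIT.  */
#include <limits.h>
#include <stdio.h>
#include <string.h>
#ifndef NAME_MAX
# define NAME_MAX 255
#endif
#ifndef PATH_MAX
# define PATH_MAX 1024
#endif
#define EXAMPLE_NAME_LIMIT NAME_MAX  /* assumption: stands in for SECURE_NAME_LIMIT */
#define EXAMPLE_PATH_LIMIT PATH_MAX  /* assumption: stands in for SECURE_PATH_LIMIT */

/* Mirrors the rtld.c hunk of patch 0028.  envline is the text after "LD_" in an
 * environment entry.  Returns the LD_LIBRARY_PATH value, or NULL when it must
 * be ignored: not that variable, or a secure (AT_SECURE=1) process.  */
const char *
library_path_from_env(const char *envline, int libc_enable_secure)
{
    if (libc_enable_secure)             /* the condition patch 0028 adds */
        return NULL;
    if (strncmp(envline, "LIBRARY_PATH=", 13) != 0)
        return NULL;
    return envline + 13;
}

/* In the spirit of patches 0029/0030: p holds len bytes (not NUL-terminated).
 * A bare object name must be shorter than the name limit, anything with a '/'
 * shorter than the path limit, so no stack buffer sized from it is unbounded. */
int
dso_name_valid_for_suid(const char *p, size_t len)
{
    size_t limit = memchr(p, '/', len) ? EXAMPLE_PATH_LIMIT : EXAMPLE_NAME_LIMIT;
    return len != 0 && len < limit;
}

/* Walks a colon- or space-separated list such as LD_PRELOAD.  In secure mode
 * each element must pass dso_name_valid_for_suid(); failures are counted in
 * *rejected.  Kept elements go NUL-separated into out (never past outsz).  */
size_t
filter_preload_list(const char *list, int libc_enable_secure,
                    char *out, size_t outsz, size_t *rejected)
{
    size_t kept = 0, used = 0;
    const char *p = list;
    *rejected = 0;
    while (*p) {
        while (*p == ':' || *p == ' ')
            ++p;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != ':' && *p != ' ')
            ++p;
        size_t len = (size_t)(p - start);
        if (libc_enable_secure && !dso_name_valid_for_suid(start, len)) {
            ++*rejected;
            continue;
        }
        if (used + len + 1 > outsz) {   /* the output buffer is bounded too */
            ++*rejected;
            continue;
        }
        memcpy(out + used, start, len);
        out[used + len] = '\0';
        used += len + 1;
        ++kept;
    }
    return kept;
}

size_t demo_last_rejected;  /* rejected count from the last demo_filter() call */

/* Constructed LD_PRELOAD: two ordinary entries, a bare name over the name
 * limit, then a '/'-prefixed path over the path limit (the kind of value that
 * once drove an unbounded alloca).  Returns the kept count: 4 for a normal
 * process (0 rejected), 2 for AT_SECURE=1 (2 rejected).  */
size_t
demo_filter(int libc_enable_secure)
{
    enum { SZ = EXAMPLE_PATH_LIMIT + EXAMPLE_NAME_LIMIT + 128 };
    static char list[SZ], out[SZ];
    size_t n = (size_t)snprintf(list, sizeof list, "libone.so:/opt/lib/libtwo.so:");
    memset(list + n, 'B', EXAMPLE_NAME_LIMIT + 8);
    n += EXAMPLE_NAME_LIMIT + 8;
    list[n++] = ':'; list[n++] = '/';
    memset(list + n, 'A', EXAMPLE_PATH_LIMIT + 8);
    n += EXAMPLE_PATH_LIMIT + 8;
    list[n] = '\0';
    return filter_preload_list(list, libc_enable_secure, out, sizeof out,
                               &demo_last_rejected);
}

int
main(void)
{
    size_t kept = demo_filter(1);
    printf("AT_SECURE=1: kept %zu, rejected %zu LD_PRELOAD element(s)\n",
           kept, demo_last_rejected);
    return 0;
}
```

The point of the length check is that the rejection happens before anything is allocated from the element's size: once every element is known to be below a fixed bound, the loader can use a fixed-size buffer instead of an alloca sized by an attacker-controlled environment string, which is the unbounded allocation the commit message refers to.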


Re: [OE-core] [pyro][PATCH] glibc: Fix CVE-2017-1000366

2017-11-30 Thread akuster808


On 11/21/2017 12:03 PM, George McCollister wrote:
> Add backported patches from the upstream release/2.25/master branch to
> fix CVE-2017-1000366. Also add a backported patch that resolves SSE
> related build problems introduced by these patches.

Thanks for the patch. This series causes an error when: bitbake
core-image-sato -c populate_sdk, so it's on hold.


t -MT
/build/build_artifacts/pyro/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-glibc/2.25-r0/build-x86_64-pokysdk-linux/elf/dl-runtime.os
| cc1: all warnings being treated as errors
| ../o-iterator.mk:9: recipe for target
'/build/build_artifacts/pyro/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-glibc/2.25-r0/build-x86_64-pokysdk-linux/elf/rtld.os'
failed
| make[2]: ***
[/build/build_artifacts/pyro/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-glibc/2.25-r0/build-x86_64-pokysdk-linux/elf/rtld.os]
Error 1
| make[2]: *** Waiting for unfinished jobs
| make[2]: Leaving directory
'/build/build_artifacts/pyro/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-glibc/2.25-r0/git/elf'
| Makefile:235: recipe for target 'elf/subdir_lib' failed
| make[1]: *** [elf/subdir_lib] Error 2
| make[1]: Leaving directory
'/build/build_artifacts/pyro/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-glibc/2.25-r0/git'
| Makefile:9: recipe for target 'all' failed
| make: *** [all] Error 2
| WARNING: exit code 1 from a shell command.
| ERROR: Function failed: do_compile (log file is located at
/build/build_artifacts/pyro/tmp/work/x86_64-nativesdk-pokysdk-linux/nativesdk-glibc/2.25-r0/temp/log.do_compile.24883)
ERROR: Task
(virtual:nativesdk:/home/akuster/OE/pyro/poky-contrib/meta/recipes-core/glibc/glibc_2.25.bb:do_compile)
failed with exit code '1'


>
> Signed-off-by: George McCollister 
> ---
>  ...00366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch |  70 +++
>  ...ject-overly-long-LD_PRELOAD-path-elements.patch | 144 +
>  ...Reject-overly-long-LD_AUDIT-path-elements.patch | 230 
> +
>  ...ssing-IS_IN-libc-guards-to-vectorized-str.patch |  62 ++
>  meta/recipes-core/glibc/glibc_2.25.bb  |   4 +
>  5 files changed, 510 insertions(+)
>  create mode 100644 
> meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
>  create mode 100644 
> meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
>  create mode 100644 
> meta/recipes-core/glibc/glibc/0030-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch
>  create mode 100644 
> meta/recipes-core/glibc/glibc/0031-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch
>
> diff --git 
> a/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
>  
> b/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
> new file mode 100644
> index 00..0178d50ff0
> --- /dev/null
> +++ 
> b/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
> @@ -0,0 +1,70 @@
> +From 4002021818bc31aec9b353c6e13ce9f82e84cd38 Mon Sep 17 00:00:00 2001
> +From: Florian Weimer 
> +Date: Mon, 19 Jun 2017 18:31:27 +0200
> +Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
> + programs [BZ #21624]
> +
> +LD_LIBRARY_PATH can only be used to reorder system search paths, which
> +is not useful functionality.
> +
> +This makes an exploitable unbounded alloca in _dl_init_paths unreachable
> +for AT_SECURE=1 programs.
> +
> +(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d)
> +
> +Upstream-Status: Backport
> +https://sourceware.org/git/?p=glibc.git;a=commit;h=3c7cd21290cabdadd72984fb69bc51e64ff1002d
> +
> +CVE: CVE-2017-1000366
> +
> +Signed-off-by: George McCollister 
> +---
> + ChangeLog  | 7 +++
> + NEWS   | 1 +
> + elf/rtld.c | 3 ++-
> + 3 files changed, 10 insertions(+), 1 deletion(-)
> +
> +diff --git a/ChangeLog b/ChangeLog
> +index f140ee67de..7bfdf45bb5 100644
> +--- a/ChangeLog
>  b/ChangeLog
> +@@ -1,3 +1,10 @@
> ++2017-06-19  Florian Weimer  
> ++
> ++[BZ #21624]
> ++CVE-2017-1000366
> ++* elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
> ++__libc_enable_secure.
> ++
> + 2017-02-05  Siddhesh Poyarekar  
> + 
> + * version.h (RELEASE): Set to "stable"
> +diff --git a/NEWS b/NEWS
> +index ec15dde761..f7d38536d6 100644
> +--- a/NEWS
>  b/NEWS
> +@@ -5,6 +5,7 @@ See the end for copying conditions.
> + Please send GNU C library bug reports via 
> + using `glibc' in the "product" field.
> + 
> ++  [21624] Unsafe alloca allows local attackers to alias stack and heap 
> (CVE-2017-1000366)
> + Version 2.25
> + 
> + * The feature test macro __STDC_WANT_LIB_EXT2__, from ISO/IEC TR
> +diff --git a/elf/rtld.c b/elf/rtld.c
> +index a036ece956..2fc33a6178 100644

Re: [OE-core] [pyro][PATCH] glibc: Fix CVE-2017-1000366

2017-11-24 Thread akuster808
in stable/pyro-next


On 11/21/2017 12:03 PM, George McCollister wrote:
> Add backported patches from the upstream release/2.25/master branch to
> fix CVE-2017-1000366. Also add a backported patch that resolves SSE
> related build problems introduced by these patches.
>
> Signed-off-by: George McCollister 
> ---
>  ...00366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch |  70 +++
>  ...ject-overly-long-LD_PRELOAD-path-elements.patch | 144 +
>  ...Reject-overly-long-LD_AUDIT-path-elements.patch | 230 
> +
>  ...ssing-IS_IN-libc-guards-to-vectorized-str.patch |  62 ++
>  meta/recipes-core/glibc/glibc_2.25.bb  |   4 +
>  5 files changed, 510 insertions(+)
>  create mode 100644 
> meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
>  create mode 100644 
> meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
>  create mode 100644 
> meta/recipes-core/glibc/glibc/0030-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch
>  create mode 100644 
> meta/recipes-core/glibc/glibc/0031-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch
>
> diff --git 
> a/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
>  
> b/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
> new file mode 100644
> index 00..0178d50ff0
> --- /dev/null
> +++ 
> b/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
> @@ -0,0 +1,70 @@
> +From 4002021818bc31aec9b353c6e13ce9f82e84cd38 Mon Sep 17 00:00:00 2001
> +From: Florian Weimer 
> +Date: Mon, 19 Jun 2017 18:31:27 +0200
> +Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
> + programs [BZ #21624]
> +
> +LD_LIBRARY_PATH can only be used to reorder system search paths, which
> +is not useful functionality.
> +
> +This makes an exploitable unbounded alloca in _dl_init_paths unreachable
> +for AT_SECURE=1 programs.
> +
> +(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d)
> +
> +Upstream-Status: Backport
> +https://sourceware.org/git/?p=glibc.git;a=commit;h=3c7cd21290cabdadd72984fb69bc51e64ff1002d
> +
> +CVE: CVE-2017-1000366
> +
> +Signed-off-by: George McCollister 
> +---
> + ChangeLog  | 7 +++
> + NEWS   | 1 +
> + elf/rtld.c | 3 ++-
> + 3 files changed, 10 insertions(+), 1 deletion(-)
> +
> +diff --git a/ChangeLog b/ChangeLog
> +index f140ee67de..7bfdf45bb5 100644
> +--- a/ChangeLog
>  b/ChangeLog
> +@@ -1,3 +1,10 @@
> ++2017-06-19  Florian Weimer  
> ++
> ++[BZ #21624]
> ++CVE-2017-1000366
> ++* elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
> ++__libc_enable_secure.
> ++
> + 2017-02-05  Siddhesh Poyarekar  
> + 
> + * version.h (RELEASE): Set to "stable"
> +diff --git a/NEWS b/NEWS
> +index ec15dde761..f7d38536d6 100644
> +--- a/NEWS
>  b/NEWS
> +@@ -5,6 +5,7 @@ See the end for copying conditions.
> + Please send GNU C library bug reports via 
> + using `glibc' in the "product" field.
> + 
> ++  [21624] Unsafe alloca allows local attackers to alias stack and heap 
> (CVE-2017-1000366)
> + Version 2.25
> + 
> + * The feature test macro __STDC_WANT_LIB_EXT2__, from ISO/IEC TR
> +diff --git a/elf/rtld.c b/elf/rtld.c
> +index a036ece956..2fc33a6178 100644
> +--- a/elf/rtld.c
>  b/elf/rtld.c
> +@@ -2418,7 +2418,8 @@ process_envvars (enum mode *modep)
> + 
> + case 12:
> +   /* The library search path.  */
> +-  if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
> ++  if (!__libc_enable_secure
> ++  && memcmp (envline, "LIBRARY_PATH", 12) == 0)
> + {
> +   library_path = [13];
> +   break;
> +-- 
> +2.15.0
> +
> diff --git 
> a/meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
>  
> b/meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
> new file mode 100644
> index 00..142bd86d2f
> --- /dev/null
> +++ 
> b/meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
> @@ -0,0 +1,144 @@
> +From d4fe2023bb908b85d577ac3843acd44bada330ce Mon Sep 17 00:00:00 2001
> +From: Florian Weimer 
> +Date: Mon, 19 Jun 2017 22:31:04 +0200
> +Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements
> +
> +(cherry picked from commit 6d0ba622891bed9d8394eef1935add53003b12e8)
> +
> +Upstream-Status: Backport
> +https://sourceware.org/git/?p=glibc.git;a=commit;h=46703a3995aa3ca2b816814aa4ad05ed524194dd
> +
> +CVE: CVE-2017-1000366
> +
> +Signed-off-by: George McCollister 
> +---
> + ChangeLog  |  7 ++
> + elf/rtld.c | 82 
> 

[OE-core] [pyro][PATCH] glibc: Fix CVE-2017-1000366

2017-11-21 Thread George McCollister
Add backported patches from the upstream release/2.25/master branch to
fix CVE-2017-1000366. Also add a backported patch that resolves SSE
related build problems introduced by these patches.

Signed-off-by: George McCollister 
---
 ...00366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch |  70 +++
 ...ject-overly-long-LD_PRELOAD-path-elements.patch | 144 +
 ...Reject-overly-long-LD_AUDIT-path-elements.patch | 230 +
 ...ssing-IS_IN-libc-guards-to-vectorized-str.patch |  62 ++
 meta/recipes-core/glibc/glibc_2.25.bb  |   4 +
 5 files changed, 510 insertions(+)
 create mode 100644 
meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
 create mode 100644 
meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
 create mode 100644 
meta/recipes-core/glibc/glibc/0030-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch
 create mode 100644 
meta/recipes-core/glibc/glibc/0031-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch

diff --git 
a/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
 
b/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
new file mode 100644
index 00..0178d50ff0
--- /dev/null
+++ 
b/meta/recipes-core/glibc/glibc/0028-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
@@ -0,0 +1,70 @@
+From 4002021818bc31aec9b353c6e13ce9f82e84cd38 Mon Sep 17 00:00:00 2001
+From: Florian Weimer 
+Date: Mon, 19 Jun 2017 18:31:27 +0200
+Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
+ programs [BZ #21624]
+
+LD_LIBRARY_PATH can only be used to reorder system search paths, which
+is not useful functionality.
+
+This makes an exploitable unbounded alloca in _dl_init_paths unreachable
+for AT_SECURE=1 programs.
+
+(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=3c7cd21290cabdadd72984fb69bc51e64ff1002d
+
+CVE: CVE-2017-1000366
+
+Signed-off-by: George McCollister 
+---
+ ChangeLog  | 7 +++
+ NEWS   | 1 +
+ elf/rtld.c | 3 ++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index f140ee67de..7bfdf45bb5 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-06-19  Florian Weimer  
++
++  [BZ #21624]
++  CVE-2017-1000366
++  * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
++  __libc_enable_secure.
++
+ 2017-02-05  Siddhesh Poyarekar  
+ 
+   * version.h (RELEASE): Set to "stable"
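Review bot: the header of this patch carries three different commit ids for one change, and the relationship between them is not stated: the "From 4002021818bc..." line is a local, rebased id that nobody can look up, "cherry picked from commit f6110a8fee..." names the master commit, and the Upstream-Status URL names 3c7cd21290ca... on release/2.25/master. Consider saying in the header that the URL is the 2.25-branch cherry-pick and that f6110a8 is the master original, so the two are not read as a mismatch. The ChangeLog hunk itself is fine: the [BZ #21624] / CVE-2017-1000366 entry goes above the existing 2017-02-05 entry, newest first.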
+diff --git a/NEWS b/NEWS
+index ec15dde761..f7d38536d6 100644
+--- a/NEWS
 b/NEWS
+@@ -5,6 +5,7 @@ See the end for copying conditions.
+ Please send GNU C library bug reports via 
+ using `glibc' in the "product" field.
+ 
++  [21624] Unsafe alloca allows local attackers to alias stack and heap 
(CVE-2017-1000366)
+ Version 2.25
+ 
+ * The feature test macro __STDC_WANT_LIB_EXT2__, from ISO/IEC TR
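Review bot: the NEWS entry is inserted between the bug-report boilerplate and the "Version 2.25" heading, indented as a list item, yet no list heading (for example a security-changes list) appears in the hunk's context, so as shown the line floats above the version section it describes. Check that this matches the NEWS layout on the release/2.25/master branch the change was cherry-picked from; if the branch's NEWS has a heading above this entry, the context lines should show it.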
+diff --git a/elf/rtld.c b/elf/rtld.c
+index a036ece956..2fc33a6178 100644
+--- a/elf/rtld.c
 b/elf/rtld.c
+@@ -2418,7 +2418,8 @@ process_envvars (enum mode *modep)
+ 
+   case 12:
+ /* The library search path.  */
+-if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
++if (!__libc_enable_secure
++&& memcmp (envline, "LIBRARY_PATH", 12) == 0)
+   {
+ library_path = [13];
+ break;
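Review bot: `library_path = [13];` in the trailing context is not valid C; the `&envline` before `[13]` has almost certainly been eaten by the mail or HTML rendering (`&envline` reads as an entity), so check the patch file on disk rather than this copy before applying. On the change itself, gating the `case 12` match on `!__libc_enable_secure` drops LD_LIBRARY_PATH for AT_SECURE=1 processes, which is what makes the alloca in _dl_init_paths unreachable for them, as the message says; it does nothing for the LD_PRELOAD and LD_AUDIT length problems, which 0029 and 0030 in this series address, so the `CVE:` tag on this file is only a complete fix together with those two.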
+-- 
+2.15.0
+
diff --git 
a/meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
 
b/meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
new file mode 100644
index 00..142bd86d2f
--- /dev/null
+++ 
b/meta/recipes-core/glibc/glibc/0029-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
@@ -0,0 +1,144 @@
+From d4fe2023bb908b85d577ac3843acd44bada330ce Mon Sep 17 00:00:00 2001
+From: Florian Weimer 
+Date: Mon, 19 Jun 2017 22:31:04 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements
+
+(cherry picked from commit 6d0ba622891bed9d8394eef1935add53003b12e8)
+
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=46703a3995aa3ca2b816814aa4ad05ed524194dd
+
+CVE: CVE-2017-1000366
+
+Signed-off-by: George McCollister 
+---
+ ChangeLog  |  7 ++
+ elf/rtld.c | 82 ++
+ 2 files changed, 73 insertions(+), 16 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 7bfdf45bb5..0aff2bd347 100644
+--- a/ChangeLog
 b/ChangeLog
+@@ -1,3 +1,10 @@
++2017-06-19  Florian Weimer  
++
++  * elf/rtld.c (SECURE_NAME_LIMIT, SECURE_PATH_LIMIT): Define.